With the recent development of communication technology and widespread Internet use, various kinds of services that had been provided only off-line are now provided on-line. To support such on-line services, a service provider provides a “Web Application” to service users, wherein the “Web Application” functions as a gateway. However, if information that is input or output through the “Web Application”, and more particularly confidential information such as the service users' financial information, leaks to malicious web users, it may cause huge financial damage to the service users.
The current trend in computer-security hacking is that so-called black-hat hackers (malicious or criminal hackers) attempt to attack the “Web Application”, which is the gateway to the service users' information. A “Web Application” built without consideration for security can be easily attacked by black-hat hackers who exploit the service users' information.
“A Guide to Building Secure Web Applications”, published by OWASP (Open Web Application Security Project), discloses examples of attack types, namely “SQL Injection”, “Cookie Spoofing and Injection”, “File Upload and Download”, “Parameter Manipulation” and “XSS (Cross-Site Scripting)”. Among these attack types against “Web Application”, “SQL Injection” and “XSS” have recently been the most problematic.
“SQL Injection” is an attack technique that obtains or exploits unauthorized information by altering an SQL query through the input of an abnormal SQL command in a user authorization window or a URL (Uniform Resource Locator) address-input window. If “SQL Injection” occurs, it may cause user authorization to be bypassed, data stored in a database to be viewed without authorization, or the system to operate unexpectedly through the use of a system command in the database.
In the case of “XSS”, when users view a dynamically generated webpage into which an attacker has injected a malicious script, the injected script is executed so that the attacker exploits other users' data. If “XSS” occurs, it may cause leakage of the user's cookie information or the execution of malicious code on the user's terminal.
To protect a “Web Application” against the various attack types, each attack type must be kept from intruding through each of the parameters included in the corresponding URLs. Before such intrusion can be excluded, a process of determining the vulnerability to each attack type of every parameter included in each URL becomes all the more necessary.
However, even when URLs include the same parameters, the process of determining vulnerability is applied to all parameters included in each URL, so that too much time is spent determining the vulnerability. In addition, if the process of determining vulnerability is repeatedly applied to the same URL or parameter, it results in redundant vulnerability checks. These problems become more serious in the case of a large-scale portal website.
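The redundancy described above can be measured on a crawl list. The following is an added illustration, not part of the original text: the host `example.test`, the URLs, and the choice to treat a parameter name on the same path as one check target are all assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Attack types the text singles out as most problematic.
ATTACK_TYPES = ("SQL Injection", "XSS")

# Constructed crawl output for a hypothetical site; not real data.
CRAWLED_URLS = [
    "http://example.test/board/view?id=1&page=1",
    "http://example.test/board/view?id=2&page=1",
    "http://example.test/board/view?id=3&page=2",
    "http://example.test/board/view?id=1&page=1",  # same URL crawled twice
    "http://example.test/search?q=shoes&page=1",
    "http://example.test/search?q=hats&page=3",
    "http://example.test/login",                   # no parameters
]

def parameters(url):
    """Return (host, path, parameter name) for every query parameter in url."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(parts.netloc.lower(), parts.path, name) for name, _ in pairs]

def naive_check_count(urls, attack_types=ATTACK_TYPES):
    """Checks performed when every parameter of every URL is tested."""
    return sum(len(parameters(u)) for u in urls) * len(attack_types)

def distinct_targets(urls):
    """Distinct (host, path, parameter) targets, ignoring parameter values.

    Assumption: the same parameter on the same path reaches the same
    server-side handler, so one check per attack type covers it.
    """
    return {target for u in urls for target in parameters(u)}

def redundancy_report(urls, attack_types=ATTACK_TYPES):
    """Compare the naive number of checks with the number of distinct ones."""
    naive = naive_check_count(urls, attack_types)
    needed = len(distinct_targets(urls)) * len(attack_types)
    return {"naive": naive, "distinct": needed, "redundant": naive - needed}

if __name__ == "__main__":
    print(redundancy_report(CRAWLED_URLS))
```

On this small list two thirds of the checks repeat a target already tested, and the share grows with the number of pages that reuse the same parameters.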
The above information disclosed in this Background Art section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.